Internal audit & ICFR · 19 May 2026 · 1,709 words · 11 min read · LinkedIn

Risk-based audit planning: how to allocate hours by risk score

A uniform audit plan — every process every three years — wastes hours on low-risk areas and under-serves high-risk ones. The fix is a five-axis scoring model that drives hour allocation against risk, refreshed annually.

Written by CA Ashish Gupta, Senior Partner · Nucleus Advisors

The most common internal audit plan we see at first engagement looks like this. Twenty-five processes, mapped to a three-year cycle. Eight or nine processes audited in year one, the next batch in year two, the remainder in year three. The cycle restarts. Total audit hours roughly equal across the years. Audit committee approves the plan annually with minor adjustments.

This is a reasonable plan in the sense that it produces coverage. Over three years, every process is audited once. The audit committee can show the rotation. The internal audit function is operating.

It is also wasteful in a specific way. The plan does not distinguish between processes by risk. A high-volume revenue process at a growth-stage company is audited at the same depth and frequency as a low-volume admin function. The hours are not where the risk is.

What risk-based planning actually means

Risk-based audit planning allocates audit hours to processes in proportion to their assessed risk. High-risk processes get more hours, more frequently. Low-risk processes get fewer hours, less frequently. The total budget is the same; the distribution is different.

The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing — specifically Standard 2010 (Planning) — requires that the chief audit executive establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation's goals. The standard is principles-based; it does not prescribe how risk is scored or how hours are allocated.

ICAI's Standards on Internal Audit (SIA 200 series) align with the IIA position. Risk-based planning is the expectation; the methodology is the audit function's choice.

The five-axis risk score

The scoring model we use across engagements has five axes. Each process is scored 1 to 5 on each axis. The total — sum or weighted sum, depending on the design — drives audit hour allocation.

Axis one: financial materiality

How large is the process in financial terms? Revenue cycle at a ₹2,000 crore manufacturer is materially larger than the petty cash process. Procurement is larger than ESOP administration. The scoring:

5: process touches more than 20% of revenue or 20% of total expenses.

4: process touches 10 to 20%.

3: 5 to 10%.

2: 1 to 5%.

1: less than 1%.

Axis two: regulatory exposure

What is the regulatory consequence if the process fails? Tax compliance has direct regulatory exposure. Customer data handling under DPDP has regulatory exposure. Internal IT operations may have less. The scoring:

5: direct sector regulator exposure with material penalty (RBI, SEBI, IRDAI).

4: tax or labour regulator exposure with material penalty.

3: governance regulator exposure (MCA, ROC) with moderate penalty.

2: indirect regulatory exposure.

1: minimal regulatory exposure.

Axis three: fraud susceptibility

How exposed is the process to fraud, based on the ACFE base rates and the company's specific environment? Procurement is highly susceptible. Cash handling is highly susceptible. Revenue recognition at quarter-end is susceptible. R&D may be less so. The scoring:

5: process is a known high-frequency fraud target (procurement, cash, payroll, expense reimbursement).

4: process has moderate fraud susceptibility (revenue recognition, inventory).

3: process has fraud susceptibility under specific conditions (treasury, intercompany).

2: low fraud susceptibility.

1: minimal fraud susceptibility.

Axis four: last-audit-finding count

What did the most recent audit of this process find? A process with 12 findings in its last audit is higher-risk than one with 2. The scoring:

5: more than 8 findings in the last audit, or any material weakness.

4: 5 to 8 findings.

3: 2 to 4 findings.

2: 1 finding.

1: no findings, or process has been audited and is currently clean.

Axis five: time since last audit

How long has it been since the process was audited? A process audited three years ago has more accumulated change than one audited last year. The scoring:

5: more than 3 years, or never audited.

4: 2 to 3 years.

3: 1 to 2 years.

2: 6 months to 1 year.

1: less than 6 months.

From score to hours

Each process has a score between 5 (minimum, all axes at 1) and 25 (maximum, all axes at 5). The score determines the audit hour allocation.

A worked example. A ₹2,000 crore manufacturing company has 25 auditable processes. Total annual audit budget: 4,500 hours, which is roughly 12 to 14 audits depending on size, with a small reserve for ad-hoc work.

Process scoring produces a distribution. Typically: 3 processes score 20+, 6 score 15 to 19, 10 score 10 to 14, 6 score 5 to 9.

Hour allocation: the top 3 (score 20+) get 1,800 hours combined — annual audits, deep. The next 6 (score 15 to 19) get 1,500 hours — annual or biennial audits, moderate depth. The middle 10 (score 10 to 14) get 1,000 hours — every 2 to 3 years, standard depth. The bottom 6 (score 5 to 9) get 200 hours — every 4 to 5 years, light coverage.

This allocation puts 73% of audit hours on the top 9 processes, which carry the highest risk. A uniform plan would have put 36%.
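As an added example (not the author's or Nucleus Advisors' own code), here is the five-axis scoring and the tier hour pools from the 4,500-hour example in Python. Axes two and three are judgement calls and are passed in as 1-to-5 values; the sample processes are constructed, and splitting a tier's pool among its processes in proportion to score is this example's assumption, since the article does not say how hours are divided within a tier.

```python
from dataclasses import dataclass
from typing import Optional

def score_materiality(pct: float) -> int:   # axis one: % of revenue or total expenses
    return 5 if pct > 20 else 4 if pct >= 10 else 3 if pct >= 5 else 2 if pct >= 1 else 1

def score_findings(count: int, material_weakness: bool) -> int:   # axis four
    if material_weakness or count > 8:
        return 5
    return 4 if count >= 5 else 3 if count >= 2 else 2 if count == 1 else 1

def score_recency(months: Optional[int]) -> int:   # axis five; None = never audited
    if months is None or months > 36:
        return 5
    return 4 if months >= 24 else 3 if months >= 12 else 2 if months >= 6 else 1

@dataclass
class Process:
    name: str
    materiality_pct: float
    regulatory: int              # axis two, judged 1 to 5 per the article's bands
    fraud: int                   # axis three, judged 1 to 5 per the article's bands
    findings: int = 0
    material_weakness: bool = False
    months_since_audit: Optional[int] = None

    def score(self) -> int:
        if not (1 <= self.regulatory <= 5 and 1 <= self.fraud <= 5):
            raise ValueError(f"{self.name}: categorical axes must be scored 1 to 5")
        return (score_materiality(self.materiality_pct) + self.regulatory + self.fraud
                + score_findings(self.findings, self.material_weakness)
                + score_recency(self.months_since_audit))

def tier(score: int) -> int:     # article's bands: 20+, 15-19, 10-14, 5-9
    return 1 if score >= 20 else 2 if score >= 15 else 3 if score >= 10 else 4

# Tier hour pools from the article's 4,500-hour example. Splitting a pool among its
# members in proportion to score is this example's assumption, not the article's.
TIER_POOL = {1: 1800, 2: 1500, 3: 1000, 4: 200}
def allocate_hours(processes: list) -> dict:
    hours = {}
    for t, pool in TIER_POOL.items():
        members = [p for p in processes if tier(p.score()) == t]
        total = sum(p.score() for p in members)
        for p in members:
            hours[p.name] = round(pool * p.score() / total, 1)
    return hours

SAMPLE = [Process("Procurement", 25, 4, 5, findings=9, months_since_audit=14),  # constructed,
          Process("Petty cash", 0.2, 1, 5, months_since_audit=4)]               # not from article
```

Refreshing the plan annually is a matter of updating each process's findings count, months since audit and judged axes, then re-running `allocate_hours`.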

Where uniform plans waste hours

Three patterns of waste.

Auditing the same low-risk process every three years at the same depth as a high-risk one. A fixed-asset register audit at a low-asset-intensity company can be done quickly with a light scope. A uniform plan often allocates equal depth.

Auditing high-risk processes infrequently. A revenue recognition process at a SaaS company with complex contracting should be audited annually. A uniform plan puts it on a three-year rotation.

Missing emerging risks. A new product line, a new geography, a new acquisition — these are not in the rotation if they are not on the original process list. The risk score has to be refreshed annually to catch these.

The annual refresh

The risk score is not static. The chief audit executive refreshes it annually as part of the plan-setting cycle. Inputs:

Internal audit findings from the prior year (updates axis four).

Time-since-last-audit incremented (updates axis five).

Regulatory developments — new RBI Master Direction, new SEBI regulation, new tax law (updates axis two).

Business changes — new product lines, organic growth, acquisitions, divestments (updates axis one).

Fraud incidents in the prior year and in industry peers (updates axis three).

The refreshed score produces a new hour allocation. The new plan goes to the audit committee for approval.

A worked example: the ₹2,000 crore manufacturer

To make this concrete, here is a sample annual plan for a mid-size manufacturer with 25 processes and 4,500 hours.

Top tier (annual, deep): Revenue and order-to-cash (450 hours), Procurement and procure-to-pay (450 hours), Inventory and costing (400 hours), Treasury and FX (300 hours). Total: 1,600 hours, 36% of budget.

Second tier (biennial, moderate): Payroll (200 hours), Fixed assets (200 hours), Tax (direct and indirect, 350 hours), IT general controls (300 hours), Statutory compliances (200 hours), Financial close and reporting (250 hours). Total: 1,500 hours, 33% of budget.

Third tier (every 2-3 years, standard): ESOP and equity, Borrowings, Related parties, R&D and innovation, Logistics, Branch operations (in non-manufacturing locations), Customer service, Insurance, Legal and contracts, Internal training and compensation. 800 hours combined, 18% of budget.

Fourth tier (every 4-5 years, light): Petty cash, Office facilities, CSR, Internal communications, Routine admin functions, Travel desk. 200 hours combined, 4% of budget.

Reserve for special projects, post-incident reviews, ad-hoc requests: 400 hours, 9% of budget.

What the audit committee should approve

Three things, not one.

The risk score itself. Not the hour allocation in isolation — the underlying scoring. The committee should be able to look at each process, see its five-axis score, and challenge any score that does not match their view of risk.

The hour allocation. Where the hours are going, and the implicit prioritisation.

The exceptions. Any process that is in scope this year but not in the natural rotation, or any process that has been deferred. With reasons.

How to introduce risk-based planning

If the function is moving from uniform planning to risk-based planning, the transition takes one full cycle to land. The first year, the new scoring produces a plan that looks different from prior years. Some processes are audited more than expected; others less. The audit committee will ask questions.

The chair's job is to defend the methodology, not the specific allocation. If the methodology is sound, the allocation follows. If the methodology is contested, the discussion shifts to whether the axes are right, whether the weighting is right, whether the score thresholds are right. These are productive conversations.

By the second year, the rhythm settles. The risk score refresh becomes a familiar exercise. The plan changes year over year because the risks change.

What this is not

Risk-based planning is not a substitute for judgement. The chief audit executive's judgement on emerging risks, on areas where management discomfort suggests a deeper look, on patterns across findings — these continue to matter. The score is a structured input, not the only input.

It is also not a substitute for the operational discipline of running good audits. A high-risk process audited well produces useful findings. A high-risk process audited poorly produces a report without insight, regardless of how the hours were allocated.

What changes when this works

Two visible changes.

First, audit findings cluster differently. The top-tier processes produce more findings per audit because they are being looked at more often and more deeply. The bottom-tier processes produce fewer findings, which is correct — they are lower risk.

Second, the audit committee's conversations shift. The discussion is no longer about whether every process has been audited. It is about whether the risk view is current and whether the audit response is calibrated.

The audit hour is the function's scarce resource. Spending it uniformly produces uniform results, which is not the same as good results. Spending it where the risk is produces a function that is materially more valuable to the organisation, at the same cost.

References

  1. IIA International Standards for the Professional Practice of Internal Auditing — Standard 2010 (Planning)
  2. ICAI Standards on Internal Audit (SIA 200 series)
  3. Companies Act 2013, Section 138 — Internal Audit Requirements
